How to jump to a location without a target label.

  • #1

    Code:
    ' ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤
    
        #include "\basic\include\win32api.inc"
    
    ' ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤
    
    FUNCTION PBmain as LONG
    
        #REGISTER NONE              ' no register variables, so EAX is free for the asm below
    
        ! lea eax, label            ; get the address of the label below
        ! add eax, 12               ; add the byte distance to skip forward
        ! jmp eax                   ; branch to that computed address
      label:
    
      ' ----------------------
      ' will crash if executed
      ' (reads from address 0)
      ' ----------------------
        ! mov eax, 0                ; B8 00 00 00 00 (5 bytes)
        ! mov eax, [eax]            ; 8B 00 (2 bytes)
    
      ' ----------------------
      ' 144 = 90 hex AKA "nop"
      ' the crash code above is 7 bytes and the jump skips 12,
      ' so it lands inside this padding and falls through to StdOut
      ' ----------------------
        ! db 144,144,144,144,144,144,144,144,144,144
    
        StdOut "How D"
    
        waitkey$
    
    End FUNCTION
    
    ' ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤
    hutch at movsd dot com
    The MASM Forum

    www.masm32.com

  • #2
    The irony here is that he'd ban you from his own forum for posting 'obvious malware code' like this

    • #3
      Try this with a random jump. Careful, it is sure to GPF.

      Code:
      '=======================
      ' Deliberately unsafe: jumps to a random byte offset inside PBMain,
      ' almost certainly landing in the middle of an instruction, hence the GPF.
      SUB RandJump2()
      LOCAL procaddr AS DWORD, randadd AS DWORD
      procaddr = CODEPTR(PBMain)        ' address of the first byte of PBMain
      
      randadd = RND(1,50)               ' random distance, 1 to 50 bytes
      randadd = procaddr + randadd      ' target = start of PBMain + distance
      ! mov eax, randadd
      ! jmp eax                         ; nothing checks that the target is an instruction boundary
      END SUB

      • #4
        I'm no expert, but I think you are both missing the point of Hutch's code.

        "Not my circus, not my monkeys."

        • #5
          Originally posted by Eric Pearson:
          I'm no expert, but I think you are both missing the point of Hutch's code.
          They are not alone.
          Real programmers use a magnetized needle and a steady hand

          • #6
            I haven't run the program because it has been accused of being malicious and again, I'm no expert. But it looks to me like Hutch's code jumps to a point 12 bytes after the label, so it should do nothing but call StdOut at the end.
            "Not my circus, not my monkeys."

            • #7
              But it looks to me like Hutch's code jumps to a point 12 bytes after the label, so it should do nothing but call StdOut at the end.
              Oh, so in other words it's a way to hack code to bypass something inconvenient, like a user ID and/or password check?

              Nice.

              MCM


              • #8
                I thank Eric and Bud for actually looking at the code and getting it right. The uses are many, and it has little to do with malware and much more to do with protection systems, but it also means that simply by feeding a number into an application, you can control a binary task by how far it branches.

                Bob,
                > The irony here is that he'd ban you from his own forum for posting 'obvious malware code' like this
                The irony is that the members of the MASM forum know enough to not say something so foolish.

                Michael,
                If a user ID and/or password check is so badly designed that it can just be jumped over, it deserves to be hacked, but then if it's so badly designed, why would any hacker want to hack it if the software is of such a low standard that it can be hacked in that manner? Then there is the next problem: any working code takes up space, and to do this in a compiled binary it will have to overwrite binary code that is already in the application, which will affect the functionality of the application. This suggestion seems to be the result of an overactive imagination rather than one of comprehending what the code does.

                Now whatever anyone does, do not sit up at night sobbing silently while brushing away the tears and contemplating suicide when it comes to the code; what you SEE is what you GET, and it's doing something very simple that is very hard to misunderstand. At the risk of getting a console display of "How D" if you compile and run the code, you will have risked running StdOut for the effort.

                For any who actually read and understand the posts in this subforum, one of our members asked how to perform a task of this type and as there are still a few of us who try to help out other members, I posted this simple example. The code,

                Code:
                    ! mov eax, 0    ' really should be "xor eax, eax"
                    ! mov eax, [eax]
                is there to prove that the branch before it works.
                Last edited by Steve Hutchesson; 12 Feb 2018, 05:16 PM. Reason: Lousy auto formatting !
                hutch at movsd dot com
                • #9
                  Here is a simple example for Anne who had the right idea.
                  Code:
                  ' ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤
                  
                      #include "\basic\include\win32api.inc"
                  
                  ' ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤
                  
                  FUNCTION PBmain as LONG
                  
                      #REGISTER NONE
                  
                       LOCAL pproc as DWORD        ' pointer to procedure
                   
                       pproc = CodePtr(testproc)
                   
                     ' ------------------------------------------------
                     ' each MessageBox + "jmp bye" in testproc is 76 bytes
                     ' in this build, so the distances below select the
                     ' 1st, 2nd, 3rd and 4th branch after the label. The
                     ' numbers are build specific: recheck them if the
                     ' compiler, its options or the branch bodies change.
                     ' ------------------------------------------------
                       ! push 0
                       ! call pproc                ; Greetings 1
                   
                       ! push 76
                       ! call pproc                ; Greetings 2
                   
                       ! push 152
                       ! call pproc                ; Greetings 3
                   
                       ! push 228
                       ! call pproc                ; Greetings 4
                  
                      waitkey$
                  
                  End FUNCTION
                  
                  ' ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤
                  
                   FUNCTION testproc(ByVal distance as DWORD) as DWORD
                   
                       #REGISTER NONE
                   
                       ! lea eax, label            ; address of the first branch
                       ! add eax, distance         ; plus the caller's byte distance
                       ! jmp eax                   ; land on one of the branches below
                     label:
                   
                     ' each MessageBox + "jmp bye" pair must be the same length
                     ' (76 bytes here) for the fixed distances in PBmain to line up
                       MessageBox 0,"Greetings 1","Title",%MB_OK
                       ! jmp bye
                       MessageBox 0,"Greetings 2","Title",%MB_OK
                       ! jmp bye
                       MessageBox 0,"Greetings 3","Title",%MB_OK
                       ! jmp bye
                       MessageBox 0,"Greetings 4","Title",%MB_OK
                   
                     bye:
                   
                   End FUNCTION
                  
                  ' ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤
                  hutch at movsd dot com
                  • #10
                    Here is a simplified way to do a very fast technique to replace "Select Case" in some circumstances. The technique has the same very low overhead for any number of labels and does not perform sequential comparisons to find the right location. The trick is to jump over the application code and get the local label addresses, which are not normally available in PB with CodePtr(), and once you have the label addresses you can call the procedure with any of them and use only 2 instructions to get there.

                    Now for anyone who is faint of heart, whatever you do, don't slash your wrists at the sight of fast PowerBASIC.


                    Code:
                    ' ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤
                    
                        #include "\basic\include\win32api.inc"
                    
                        GLOBAL label1 as DWORD
                        GLOBAL label2 as DWORD
                        GLOBAL label3 as DWORD
                        GLOBAL label4 as DWORD
                    
                    ' ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤
                    
                    FUNCTION PBmain as LONG
                    
                        LOCAL pproc as DWORD
                    
                        pproc = CodePtr(testproc)       ' get the procedure address
                    
                       ' --------------------------------------------
                       ' 335 is the OFFSET in bytes from the start of
                       ' the procedure to the first CodePtr() call.
                       ' It is specific to this build and must be
                       ' rechecked if testproc or the compiler changes.
                       ' --------------------------------------------
                         testproc pproc + 335            ' pass over app code to get the label addresses
                    
                        testproc label4                 ' call each address from the list of labels
                        testproc label3
                        testproc label2
                        testproc label1
                    
                    End FUNCTION
                    
                    ' ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤
                    
                     FUNCTION testproc(ByVal labl as DWORD) as DWORD
                     
                         ! mov eax, labl                 ; caller supplies a label address
                         ! jmp eax                       ; two instructions, no comparisons
                     
                         lbl1:
                           MessageBox 0,"Label 1 here !!!!","The title",%MB_OK
                           EXIT FUNCTION
                         lbl2:
                           MessageBox 0,"Label 2 here !!!!","The title",%MB_OK
                           EXIT FUNCTION
                         lbl3:
                           MessageBox 0,"Label 3 here !!!!","The title",%MB_OK
                           EXIT FUNCTION
                         lbl4:
                           MessageBox 0,"Label 4 here !!!!","The title",%MB_OK
                           EXIT FUNCTION
                     
                       ' only reached by the "pproc + 335" call from PBmain:
                       ' publishes the local label addresses in the globals
                         label1 = CodePtr(lbl1)
                         label2 = CodePtr(lbl2)
                         label3 = CodePtr(lbl3)
                         label4 = CodePtr(lbl4)
                     
                     End FUNCTION
                    
                    ' ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤
                    hutch at movsd dot com
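An added example, not code from this thread or from PowerBASIC: the computed-jump dispatch of posts #9 and #10 written in C with the GCC/Clang "labels as values" extension (`&&label` gives a label's address, `goto *p` jumps to it), which is an assumption about the compiler. It keeps the two-instruction branch of post #10 but adds the check the thread's listings leave out: the index (or byte distance) handed to the dispatcher is validated against the table of known entry points before the indirect jump, so a stray value is refused instead of landing mid-instruction the way the random jump in post #3 does. The hard-coded 76/152/228 distances and the 335 offset are replaced by addresses the compiler fills in, so they track the build.

```c
#include <stdio.h>
#include <stddef.h>

#define NHANDLERS 4   /* number of branch targets, like lbl1..lbl4 in post #10 */

/*
 * Post #10's form: a table of label addresses, then "load, indirect jmp".
 * Returns the number of the handler that ran (1..4), or -1 if idx is not a
 * valid table index.  The range check is what the thread's listings leave
 * out: without it a caller-supplied index turns into a jump to an arbitrary
 * address, which is exactly why the random jump in post #3 faults.
 */
int dispatch(unsigned long idx)
{
    /* GCC/Clang extension (assumed): &&label is the label's address and may
       be used in a static initializer, so the table is built once. */
    static void *const targets[NHANDLERS] = { &&lbl1, &&lbl2, &&lbl3, &&lbl4 };
    int which = -1;

    if (idx >= NHANDLERS)
        return -1;                /* refuse: not an entry in the table */

    goto *targets[idx];           /* the two-instruction branch */

lbl1: which = 1; goto done;
lbl2: which = 2; goto done;
lbl3: which = 3; goto done;
lbl4: which = 4; goto done;
done:
    return which;
}

/*
 * Post #9's form: a base label plus a byte distance.  Hard-coding 76, 152
 * and 228 ties the caller to one build's instruction lengths.  Here the
 * distances come from the label addresses themselves, and a distance is
 * accepted only if it lands exactly on a known entry point; anything else
 * (off by a byte, or from a different build) is rejected instead of being
 * executed from the middle of an instruction.
 */
int dispatch_by_distance(long distance)
{
    static void *const targets[NHANDLERS] = { &&h1, &&h2, &&h3, &&h4 };
    const char *base = (const char *)targets[0];
    size_t i;

    for (i = 0; i < NHANDLERS; i++) {
        if ((const char *)targets[i] - base == distance)
            goto *targets[i];
    }
    return -1;                    /* not an entry point: refuse the jump */

h1: return 1;
h2: return 2;
h3: return 3;
h4: return 4;
}

int main(void)
{
    unsigned long i;

    for (i = 0; i <= NHANDLERS; i++)      /* the last value is out of range */
        printf("dispatch(%lu) -> %d\n", i, dispatch(i));

    printf("dispatch_by_distance(0) -> %d\n", dispatch_by_distance(0));
    printf("dispatch_by_distance(1 << 20) -> %d\n", dispatch_by_distance(1L << 20));
    return 0;
}
```

Build with gcc or clang; MSVC has no labels-as-values, and a table of function pointers is the portable way to get the same single indirect branch. The table entries are still plain addresses in the binary, so the check guards against a bad input value, not against someone who can already write to the process.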

                    • #11
                      If a user ID and/or password check is so badly designed that it can just be jumped over, it deserves to be hacked
                      Nothing "deserves" to be hacked.

                      Hacking equals stealing (my words).

                      Thou Shalt Not Steal (not my words).

                      But to my bigger point... if this forum is about using PB inline assembly language, then there never is a need to jump as suggested because the writer can always add the target label.

                      It's like me offering a "helpful tip" that one may replace
                      Code:
                      Z = X**3
                      .. with ....
                      Code:
                      Z=  X * X * X
                      .. or with ...
                      Code:
                      Z =  ALOG ( 3 * Log(x))
                      True, yes; but totally unnecessary because PB DOES support an exponentiation operator.

                      MCM

                      • #12
                        I just don't have the energy for your nonsense today, Michael.
                        "Not my circus, not my monkeys."

                        • #13
                          I did, however, flag your post #7 as a personal attack on Hutch's character. Following up with a Biblical invocation against theft was a nice, judgmental touch, too. Who do you think you are?

                          "Deserves to be hacked" was clearly about as serious as "if you leave the keys in the ignition you deserve to have your car stolen".
                          "Not my circus, not my monkeys."

                          • #14
                            Michael,

                            I am a little disappointed to hear nonsense like this from you.

                            > But to my bigger point... if this forum is about using PB inline assembly language, then there never is a need to jump as suggested because the writer can always add the target label.

                            Now what happens if the author does not want a fixed location (label), what happens if they want to be able to vary the target from the same code just by changing the offset passed to the function ?

                            Now to assist you in technical terms, the hacker does not use the technique above that you have failed to understand; if they want to disable a section of code, they fill it with DB 90 hex (nop) bytes so that the code in the nopped-out section does nothing. One of the uses of a variable target is in protection system design, and if you wish to be difficult, you put something either side of the target that crashes the app.

                            Code:
                                sub eax, eax
                                mov eax, [eax]    ; watch it go BANG here.
                            You have over a long time tried to shoehorn assembler coding into a safe little box that was a subset of PowerCOBOL, but it will never work that way: not only are the PB compilers written in assembler, but PB has a competent inline assembler built into it, and this was by a very good assembler programmer in Bob Zale. While protection systems are only ever peripheral to assembler programming, which is mainly used for power and/or speed related issues, it is exactly the right tool for increasing the difficulty of someone hacking the binary.

                            American Standard Version
                            Not that which entereth into the mouth defileth the man; but that which proceedeth out of the mouth, this defileth the man.
                            hutch at movsd dot com
                            • #15
                              I did, however, flag your post #7 as a personal attack on Hutch's character. Following up with a Biblical invocation against theft was a nice, judgmental touch, too. Who do you think you are?
                              My opinion that nothing "deserves" to be hacked is as valid an opinion as that which says a poorly designed routine deserves to be hacked. I did, however, offer some basis for my opinion, a basis not offered by the "deserves" opinion. You are free, of course, to ignore my personal rationale for my opinion.

                              I am terribly sorry, but I cannot agree that a contrary opinion is automatically a personal attack on anyone. I have informed Mr. Drake, who let me know the post had been reported as such.

                              Whom do I think I am? A member in standing equal to all others who would post an opinion.


                              MCM




                              • #16
                                Michael,

                                > Oh, so in other words it's a way to hack code to bypass something inconvenient, like a user ID and/or password check?

                                Now, people in glass houses should not throw stones. When you make a foolish suggestion like this, you are not dealing with facts; you are simply showing what you don't understand about how hackers bypass protection systems, especially very poor ones like what you have suggested. Out there in the wild west, you get what you deserve, which means that if your security is so poor that it is easily hacked, you are the author of your own demise.

                                Now if you reverted to one of your more sensible opinions where the best protection against hacking is an application that has nothing to hack in it, you would have something useful to say again.

                                Now let's come back to what the code is doing: in a binary file there is no such thing as a label, there are only Intel mnemonics, and where you have a jump of either conditional or unconditional encoding, the jump branches from the current instruction pointer to another instruction pointer location, and the instructions from that location onwards are executed in the normal manner.

                                Now as far as Biblical invocation goes, it's a two-edged sword. "Thou shalt not steal" is well known, but so is another of the ten commandments, "Thou shalt not bear false witness against thy neighbour". When you make the inference of the support of theft, you are not stating a competing opinion, you are making an accusation.

                                While I see you as a person of many talents, being a holy roller is not one of them so I suggest that Billy Sunday has nothing to worry about.
                                hutch at movsd dot com
                                • #17
                                  Late to the game here; I just wanted to point out what Hutch's code is for. It is used to stop types of system corruption, as opposed to "hacking". It is the so-called stop gap, moat, barbed wire fence, drawbridge or trap door defense.

                                  This is hard to defeat since you do not know, looking at the disassembled code, what this jump is testing. If you bounce through the system calls in a debugger you will see such stuff, and it takes a lot of time and effort to figure out what the jump is testing. Even at this point I would still be skeptical if you could hack a system DLL to avoid the trap.


                                  Pseudo code:

                                  jump to this address here

                                  if a = b then return   <<<<< this is a single test; the code returns and continues if the condition is met. If it fails, it falls through and hits the trap code.

                                  If the jump was not predetermined and was based on an on-the-fly calculation, it could land here, after the test code, and hit the trap door.

                                  Code:
                                  ! nop
                                  ! nop
                                  ! nop
                                  ! xor eax, eax          ; EAX = 0
                                  ! mov eax, [eax]        ; read from address 0: the trap
                                  ! nop
                                  ! nop
                                  ! nop

                                  ====== unrelated code boundary ====  could be a trap's trap
                                  bla
                                  bla
                                  bla

                                  A dozen what.

                                  • #18
                                    Due to more pressing matters I haven't been able to program or look at the forum for a little while, but looking now I immediately recognised this thread as something of interest to me, as evidenced by https://forum.powerbasic.com/forum/u...t-using-labels only 9 threads away.
                                    Hutch thank you ever so much for the code and your trouble and I'm really sorry for the rubbish you've had to endure in supplying it.
                                    It's very much appreciated and I look forward to using it as soon as I can get back to programming.
